Pan-European data protection cannot be “taken for granted” post-Brexit, it has been warned, after British Airways was hit with a fine of £183 million following a cyber attack which affected half-a-million customers.
The record fine was imposed by the Information Commissioner’s Office (ICO), and comes in the wake of customer data – including personal and financial information – being stolen from BA in 2018.
The hack saw data lifted from the airline’s website and mobile app through the use of a fake site, and initial estimates by BA that 380,000 payment cards were affected were proved wrong as the ICO highlighted 500,000 customers were placed at risk.
The £183 million fine – around 1.5% of BA’s global turnover for the financial year ending December 31 – is the largest ever imposed by the ICO, and has been put to the airline in an official Notice of Intention.
Following the ICO ruling, BA Chairman Alex Cruz said: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Meanwhile, the ruling has implications for data protection in the UK following the country’s proposed departure from the European Union on October 31, according to an expert in litigation and employment law.
Barrister Jonathan Compton, Partner at firm DMH Stallard, said: “BA will be able to make representations to the ICO; the Notice of Intention is not a final decision. In any event, whilst BA described the Notice as ‘disappointing’, the fact remains that if you are processing people’s personal data including credit cards, you must have the security measures in place to avoid a hack.
“What is interesting about this investigation is the increased co-operation between European data protection agencies. In this case, the ICO was the lead investigator for concerns raised in other EU countries. Whether this co-operation will continue post-Brexit is not a matter that can be taken for granted.”